
PyKD Tutorial – part 1

Sinaei

The WinDbg script syntax is annoying enough that almost every reverse engineer has trouble with it, yet automating debugging gives a power that cannot easily be ignored. A good way to solve this problem is to combine the power and simplicity of Python with WinDbg. As you may know, WinDbg also supports C-like binaries as extensions, and there is a praiseworthy tool called PyKD which does the hard work of connecting Python and WinDbg in a straightforward, usable way. The purpose of PyKD, as its authors put it, is:

This project can help to automate debugging and crash dump analysis using Python. It allows one to take the best from both worlds: the expressiveness and convenience of Python with the power of WinDbg!

You can download PyKD at this link.

Setup PyKD

To get the main extension binaries, find the latest version of the Bootstrapper and download its x86 or x64 build depending on your needs. After extracting the binary files (pykd.dll), load the extension in WinDbg with the following command:

To check whether it loaded successfully, run the following command; if you see something like this, you're good to go.

If you saw the command suggestions above, one of the interesting commands, which can be used to update PyKD, is:

Personally, I prefer to compile the latest version from source rather than updating or using pykd.dll directly. That is enough for setup; in the rest of the post we get started with some useful samples of using PyKD. Note that the proper way to get PyKD is to download its latest release, find the file named "pykd.pyd" among the other DLL files, and load that .pyd file.

Using PyKD Features

This section describes the general functions of PyKD.

Executing Command

The simplest use of PyKD is executing a command and getting its result. It can be done with the following script, in which r is our command and we simply print the result. You can also assign the result to a variable and split it up using Python's regular string functions.

Save the above script into a file (e.g. pykd-script.py), then load it in WinDbg using the following command:

As you can see, the registers' values are shown above. I usually use these kinds of scripts together with t (step into) and p (step over) to simulate an instrumenting environment and check what is going on (e.g. a combination of the instructions, the registers' values and the corresponding memory contents). This operation is very slow, but it is still usable for special cases.
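As an added example (not code from the original post), the following script combines the pieces described above, running a WinDbg step command, reading registers and loading memory, into one step-and-record loop. It assumes the pykd calls dbgCommand, reg and loadBytes; any object exposing those three calls can be passed in, so the loop can be exercised outside WinDbg with the constructed FakeDebugger below.

```python
try:
    import pykd  # only importable inside WinDbg once pykd.pyd is loaded
except ImportError:
    pykd = None

REGS = ("rax", "rcx", "rdx", "rsp", "rip")

def snapshot(dbg, regs=REGS, mem_addr=None, mem_len=8):
    """One record: register values plus a few bytes at mem_addr."""
    rec = {r: int(dbg.reg(r)) for r in regs}
    if mem_addr is not None:
        rec["mem"] = bytes(dbg.loadBytes(mem_addr, mem_len))
    return rec

def trace(dbg, steps, step_cmd="p", mem_addr=None):
    """Run step_cmd (p = step over, t = step into) `steps` times and
    record registers/memory after each step, as the post describes."""
    records = []
    for _ in range(steps):
        dbg.dbgCommand(step_cmd)  # same as typing p / t in WinDbg
        records.append(snapshot(dbg, mem_addr=mem_addr))
    return records

def changed_regs(before, after):
    """Names of registers whose value differs between two snapshots."""
    return sorted(r for r in REGS if before[r] != after[r])

class FakeDebugger:
    """Constructed stand-in for pykd (not a real target): every step
    advances rip by 4, increments rax and writes rax to [rsp]."""
    def __init__(self):
        self.regs = {"rax": 0, "rcx": 7, "rdx": 0,
                     "rsp": 0x7FFE0000, "rip": 0x401000}
        self.mem = {0x7FFE0000: bytearray(8)}
    def dbgCommand(self, cmd):
        assert cmd in ("p", "t")
        self.regs["rip"] += 4
        self.regs["rax"] += 1
        self.mem[0x7FFE0000][0] = self.regs["rax"]
        return ""
    def reg(self, name):
        return self.regs[name]
    def loadBytes(self, addr, n):
        return list(self.mem[addr][:n])

if __name__ == "__main__":
    dbg = pykd if pykd is not None else FakeDebugger()
    log = trace(dbg, 3, mem_addr=int(dbg.reg("rsp")))
    for i, rec in enumerate(log):
        print(i, hex(rec["rip"]), rec["mem"].hex())
```

Inside WinDbg the same script uses the live pykd module and dumps the top of the stack after each step; outside WinDbg it runs against the fake so the logic can be checked.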

Getting Registers value

A better way of getting the registers' values is shown in the following sample:

Continue to run

The following command is the PyKD equivalent of g (go):

Read the content of the memory

To read the contents of a specific virtual address, use something like this:

The result is :

The other variants of the load functions are loadAnsiString, loadBytes, loadCStr, loadChars, loadDWords, loadDoubles, etc.

Comparing Memory

The following script returns True if the contents of memory at two virtual addresses are equal, and False otherwise.

Detach

As the documentation suggests,


Find Nearest Valid Memory Location

The following script gives the nearest valid memory location to 0x0.

The result is :

Finding Function Name

If you want to find out which function is located at a specific address, based on symbols, use findSymbol.

The result is :

Get Current Stack Frame

The result is :

pykd.getStack() also gives a list of stack frame objects.

Last Exception

The result is :

Finding Function Location

To get where a specific function is located, you can use the following code. It is like executing x KERNEL32!CreateFileW on the WinDbg command line.

The result is :

Get System Version

Example result:

Getting Page Attributes

One of the important functions of PyKD is getting the page attributes.

The result is :

There is also an important function called isValid, which can be used to check whether a virtual address is valid.

Reading and writing MSR Register

If you are kernel debugging, you can read MSR registers using pykd.rdmsr(value).

To write to a specific MSR you can use pykd.wrmsr(Address, Value). That's enough for now; I'll write the rest of this post another time in part 2, so make sure to check the blog more frequently. 🙂 The second part is also published here!
